Trust But Verify
Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to be intentional about checking several items for compliance each and every month. While not intended to replace the value of an auditor, this approach can generate incremental value from the overall compliance process. If you have the requirement to be in compliance with PCI, you are in luck! You could easily create a table that pairs one of the 12 categories with one of the 12 months in a calendar year. Inside each month, you could list several items that are important to verify. When printed out and kept nearby, it can serve as a reminder to be diligent about tracking progress over time. Compare this table year over year and look for trends that will help identify the sometimes small areas to focus on that can make a big impact.
I have used this approach to expect more out of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about this table, it just forced me to be intentional each and every month. Using this approach, unexpected “compliance drift” can be identified and remediated on a much more timely basis. This approach can be used inside several of the regulatory compliance requirements. If you do not have one, ask friends and colleagues who do to learn what they find beneficial in their respective environments. As always, a great place to start is with the 20 Security Controls.
Can you make it easier on yourself to do the right thing by being intentional? It believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.
What systems do you use to force you to be intentional? Please use the comments section to share what works for you.
Russell Eubanks
@russelleubanks
Keywords: compliance Critical Controls
1 comment(s)
My next class:
Performing A Cybersecurity Risk Assessment | New Orleans | Feb 17th - Feb 18th 2025 |
×
Diary Archives
Comments
“I like the term "intentional" because that is what was done. Security does not happen by a lucky accident but by focused intent. It takes more time to set up initially but it really worked well for me. Ultimately it took less time to maintain a secure system than it would have to clean up after a big problem.“
Great insight. Keep them coming!
Russell
Anonymous
May 29th 2015
9 years ago